The Department of Homeland Security announced Friday that the Cyber Safety Review Board’s next investigation will focus on the Lapsus$ hacking group.
The decision to focus on a hacking group represents a departure from the body’s inaugural investigation, which reviewed a specific cyber vulnerability. That report focused on Log4j, a vulnerability in a widely used logging library. This time around the CSRB will study the actions of Lapsus$, a notorious hacking group that has targeted a slew of companies and attempted to extort them in exchange for not releasing stolen data.
In September, British police arrested a British teenager as part of an investigation into a major hack of Uber. The company has said it is working closely with the FBI and that it believes Lapsus$ is responsible for the intrusion.
“The ongoing Lapsus$ hacks represent just the type of activity that merits a fulsome review and can provide forward-looking recommendations to improve the nation’s cybersecurity in the near term,” Secretary of Homeland Security Alejandro Mayorkas told reporters Friday morning.
Mayorkas’ description of Lapsus$ as an “ongoing” threat actor raised questions about whether the CSRB’s work could lead to a prosecution. Mayorkas declined to comment, referring questions to the Department of Justice.
Modeled on the National Transportation Safety Board’s review process for accidents, the CSRB brings together officials from government and industry to study major breaches and vulnerabilities. DHS officials said the CSRB will develop “actionable recommendations” for how organizations can protect themselves against attacks similar to those from Lapsus$.
DHS Undersecretary for Policy and CSRB Chair Rob Silvers told reporters that Lapsus$ is the perfect target for the CSRB’s next review. Silvers described Lapsus$ as a global, extortion-focused hacker group that has launched attacks on some of the world’s “most well-resourced companies.”
“This is exactly the type of review that will benefit network defenders across this country,” Silvers said.